Tag Archives: DRI ANZ

BC Project Management, the cost of Disaster Recovery, “Selling” Business Continuity, and more!

Be sure to read through the latest additions from DRI ANZ:

How to ‘Sell’ Business Continuity to Four Generations of Workers


To view this article in its original location, please click here.

Business continuity is everybody’s business. While the principles and the planning may be better carried out by BC specialists, it’s the organisation as a whole that needs to apply them. However, a one-size-fits-all approach may not be effective when you’re trying to get the message across. It’s a fact that many organisations now have as many as four generations of employees. Each age group has its own characteristics, culture and way of doing things. As you work with colleagues to get BC in place and make it effective, knowing a little about how to ‘sell’ it to each group could help a lot.

The four generations concerned go by different names, but here are some of the more common ones.

  • Traditionalists. Aged 70 and upwards (!), these employees continue to work and achieve, either through financial necessity or simply as a choice. Traditionalists are often hard-working, risk-averse and detail-oriented, with a focus on the long-term. ‘Sell’ BC to them as a well thought-out plan that keeps the organisation safe.
  • Baby Boomers. With an age range between 50 and 70, they still have time to think about career progression. They also typically favour good management of relationships, involvement in decisions and team-working. They may therefore be more likely to ‘buy into’ your business continuity goals if you can define recommendations together.
  • Generation-X. Somewhere between 35 and 50, and focused on results and work-life balance, while also demonstrating greater individualism. Head right for the benefits and keep the analysis (which you still need to do) in reserve. Mentioning the technology that drives BC actions and BC advantages for employees’ families may be good as well.
  • Millennials (also known as Echo-Boomers and Generation-Y). Younger than 35, these employees are technology-aware with a desire for instant information and innovation. Business continuity that is presented as an opportunity to do better, not just as protection against doing worse, can be a smart way to get their attention and ‘buy-in’.

Will all your colleagues automatically fit into one of these categories? Possibly not – but perhaps these guidelines will help you better understand different points of view to make business continuity both attractive and accepted throughout your organisation.

Five Profiles to Ponder When You Start Testing Your Business Continuity


Good business continuity planning may be half the battle. But if you haven’t tested to check that your plan works, then don’t expect to win. Organisations that did data backups, failed to test them and found afterwards that their files were unrecoverable prove the point. But how should you test your BCP? Approaches from other areas may offer some useful pointers. Good software testing, for instance, is often a matter of mixing and matching human tester personalities. Here’s a tester profile model adapted for testing your BC plan and preparations.

  1. The person who asks ‘Why?’ Thinks it is pointless to waste resources on testing an unnecessary item when another vital item might be neglected. May tax some people’s patience, but can help to better focus your business continuity testing.
  2. The systems specialist. Knows some of the systems and processes of the organisation very well, but sometimes makes unsound BC testing suggestions when in unfamiliar territory. Suggestions tend to improve over time.
  3. The visionary. Doesn’t spend time on individual threats as much as the possible combinations that could truly sink an enterprise. Finds fewer holes in your plan, but is more likely to find the really big ones.
  4. The quick take. Spots the immediate weaknesses. The counterpart to the visionary in some senses. A useful resource for running quick, iterative checks on your plan as you develop it or before you show it to your own manager.
  5. The thick-skinned. Considers that keeping people and the organisation safe are top priorities and is prepared to dive into possible problems or shortcomings (while exercising tact where possible). Less of a specialist, but sees each test also as an opportunity to add to his or her personal collection of methods, tools, tips and tricks to make BC work properly.

If you can only have one tester, then number 5 – ‘thick-skinned’ – will often be the best compromise. Maybe you are that person! But if you can also get testers 1, 2, 3 and 4 to positively contribute to testing your business continuity, then that will be even better.

What Are You Missing in Threat Intelligence for Business Continuity?


There’s no doubt that threat intelligence is a hot topic today. The debate goes on about how best to collect and analyse information to identify existing and emergent threats. Attacker techniques and capabilities are scrutinised to draw up plans for defence. Software applications allow organisations to draw up ‘attack trees’ to methodically describe the security of their systems. These methodical approaches have merit because they encourage organisations to think through different scenarios and reinforce their business continuity management appropriately. However, threat intelligence also needs to go further. It needs thinking that is ‘outside the box’ (or outside the system).

Part of the challenge in effective threat intelligence is its narrow definition. The term ‘threat intelligence’ in business commonly refers to attacks on information assets (data, systems, IT and networking infrastructure). ‘Business threat intelligence’ and ‘strategic threat intelligence’ also refer back to the IT-oriented view of the world. With IT now such an important part of professional life, it is natural that it should be a focus of threat intelligence. But limiting the discussion to IT-based techniques designed to uncover IT-centric threats would be dangerous for at least two reasons.

Firstly, attacks on information assets are not always IT or even technology-based. Social engineering and simple theft of mobile computing devices have proved that point. Threat intelligence therefore needs to cover a wider span of possibilities (including someone trying to set fire to your data centre for instance). Secondly, threats in general to an enterprise or an organisation go beyond incidents in IT servers. The SWOT (strengths, weaknesses, opportunities, threats) acronym for instance is used in business planning. It takes into account financial, market, regulatory and competitive threats, among others. All of these are important for business continuity too. So while you gather your (IT) threat intelligence, remember to look at threats beyond IT to keep your business continuity effective for the rest of the organisation as well.

The Unbroken Chain from Business Continuity Assignments to Actions – and Back

Have you met the management acronym AOSTA? It’s a nice one to know, because it links assignments all the way through to actions (we’ll explain below), providing a handy checklist for business continuity practitioners in particular. It is also the name of a picturesque town in the Italian Alps, with picture postcard images that can make a handsome PC screensaver and handy daily reminder! But let’s talk about why AOSTA can help you to get business continuity right by using it both forwards and backwards.

Here’s what AOSTA stands for:

  • A is for Assignment. This is what people ask you to do or what your boss instructs you to do.
  • O is for Objective. This is what you really should do. Hopefully it’s the same as your assignment. However, if you see divergence between what is asked for and the business continuity your organisation really needs, be prepared to politely but firmly argue your case.
  • S is for Strategy. This is how you will win the war, so to speak, so that your business continuity objectives will be properly met. It’s your overall plan, like deciding to use outsourced or cloud-based resources to do secure data backups, run important enterprise applications, and so on.
  • T is for Tactics. Each battle to be fought may need its own approach, and these are the tactics you use to win it. For example, to get the Finance department to agree to move its accounting to a cloud-based platform, you show them possible cost-savings as well as improved availability.
  • A is for Actions. This is the list of things to be done, such as reviewing cloud service providers and selecting one, organising and completing application migrations and so on. Some actions will be yours, but others will be done by the different departments concerned.

The beauty of laying out the chain like this is that you can also use it in the opposite direction. If you are thinking of a particular business continuity action, you can check to make sure that it really does relate to a tactic that supports a strategy that helps to achieve a useful BC objective.

How Much Does Disaster Recovery Cost?


Good disaster recovery may be what saves an enterprise from extinction. But disaster recovery planning and preparation has a cost in terms of time, effort and money. Senior management knows that a company will need to make an investment in order to build the robustness to survive an IT catastrophe. Now it wants to know how much that investment will be; not just to understand impacts on profitability, but also to be able to plan it appropriately to gain optimal protection with expenditure that can be controlled or phased over time.

There are two main ways to set about budgeting for a given expense. The first is to use the last set of budget calculations and then factor in changes such as new or discontinued items and inflation. The second is to do the complete budget from the ground up (zero-based budgeting). Each method has its pros and cons. Whichever solution you choose, a good way to start is often to map out the major expenses including IT systems maintenance, specific DR items such as cloud storage or purpose-designed recovery solutions, utilities/power, and staff salaries. Additional expenses might then be rent, travel and third party assistance. Industry benchmarks, where available, can help to judge the realism of a budget, as can information about industry DR trends.

Next comes the question of who will pay for disaster recovery. The company as a whole pays for its own DR of course. However, the cost may be divided up among different departments according to their current use of IT resources and their DR needs (not everybody needs split-second data recovery). If your company is already running its IT department as a profit centre by billing groups according to usage, it may well make sense to finance DR in the same way. However, it is also important to maintain an overall perspective on DR expenditure to make sure that opportunities to leverage DR over several groups can be taken, thus lowering total costs and individual departmental contributions.

Making Sure the Right Procedures are Followed for Business Continuity


Procedures are there to make sure that things consistently get done the same – and the right – way. When good procedures for using technology are followed correctly, productivity and profitability can be increased. But technology used the wrong way can cause business discontinuity, where operations and productivity grind to a halt. A recent outage in a major cloud provider’s IT service was caused not by any technical problem, but by a failure to follow the correct operating procedure. So why did things go wrong and what lesson can other organisations learn from this case?

The service concerned was the Azure storage service provided by Microsoft. This service is updated from time to time like most IT installations. The procedure defined by Microsoft is to move to a new update little by little to allow the time to run checks and make sure that everything is still working properly. However, a misunderstanding about the status of a recent update led an engineer to apply a change over the entire service all at once. This change unfortunately resulted in the service becoming unavailable to users and the need to manually restart a certain number of systems. The key point is that although the correct procedure was defined, there was no safeguard to prevent employees from deviating from it (something that Microsoft has now fixed).

Organisations need to build in failsafe mechanisms to guard against human error. One of the simplest is the ‘four eyes principle’, in which two people must check and approve an action before it can be executed. Other failsafe devices may be mechanical or physical, such as automatic speed or rotation limits on machines. Information technology allows complex failsafe procedures to be programmed, but those automated procedures also need to be properly checked by humans before they are set in motion. In summary, take a good look at your technology and your business continuity, and make a complete list of things that must not happen. Then make sure that you have the appropriate preventive measures in place.
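
The following added example, which is not from the original article and does not represent Microsoft's tooling, shows one way to program such a safeguard: a rollout gate that refuses to skip stages, refuses to move on while a stage's checks have not passed, and applies the four eyes principle to every step. The stage names, fractions, approver names and change ID are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed plan (hypothetical names): stage -> fraction of the service updated.
STAGES = [("canary", 0.01), ("pilot", 0.10), ("half", 0.50), ("full", 1.00)]

class RolloutBlocked(Exception):
    """The requested step deviates from the defined procedure."""

@dataclass
class Rollout:
    change_id: str
    verified: list = field(default_factory=list)  # stages that passed their checks
    pending: str = ""                             # deployed, checks not yet passed
    audit: list = field(default_factory=list)     # every decision, allowed or denied

    def _deny(self, stage, reason):
        self.audit.append(("DENY", stage, reason))
        raise RolloutBlocked(f"{self.change_id}: {stage}: {reason}")

    def advance(self, stage, approvers):
        """Deploy to `stage`; returns the fraction of the service now updated."""
        names = [name for name, _ in STAGES]
        if self.pending:
            self._deny(stage, f"'{self.pending}' has not passed its checks")
        expected = names[len(self.verified)] if len(self.verified) < len(names) else None
        if stage != expected:  # no skipping ahead, no all-at-once
            self._deny(stage, f"next permitted stage is {expected!r}")
        if len(set(approvers)) < 2:  # four eyes: two distinct people
            self._deny(stage, "needs approval from two distinct people")
        self.pending = stage
        self.audit.append(("ALLOW", stage, sorted(set(approvers))))
        return dict(STAGES)[stage]

    def record_checks(self, healthy):
        if not self.pending:
            raise RolloutBlocked(f"{self.change_id}: no stage awaiting checks")
        self.audit.append(("CHECK", self.pending, healthy))
        if healthy:  # only a stage whose checks passed unlocks the next one
            self.verified.append(self.pending)
            self.pending = ""

def demo():
    r, out = Rollout("constructed-change-001"), []
    for stage, who in [("full", ["ana", "ben"]), ("canary", ["ana"]), ("canary", ["ana", "ben"])]:
        try:
            out.append(r.advance(stage, who))
        except RolloutBlocked:
            out.append("blocked")
    return out
```

The audit list records denied attempts as well as allowed ones, so a deviation from the procedure leaves a trace even when it is stopped.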